
Project Zero researcher highlights stubborn iOS bugs as an example of why Apple and the rest of the industry needs to take a fresh approach to securing systems.

LAS VEGAS – Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability.

Since 2016, the Project Zero team member said he has found over 30 iOS bugs. In his Black Hat session “A Brief History of Mitigation: The Path to EL1 in iOS 11” he walked through the “async_wake” exploit for iOS 11.1.2 that he released in December, along with nearly a half dozen additional bugs that he suggested Apple had dragged its feet to fix.

Beer said he doesn’t blame individual security researchers. Instead, he reserved his criticism for organizations whose security leads have an academic background rather than an exploitation background.

“Undeniably these people have really strong engineering security skillsets. But, they don’t have an exploitation background… Their focus is on the design of the system and not on exploitation,” he said. “Please, we need to stop just spot-fixing bugs and learn from them, and act on that.”

Beer said each bug needs to be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could of found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

And in a provocative call to Apple’s CEO Tim Cook, Beer directly challenged him to donate $2.5 million to Amnesty International – roughly the equivalent of the bug bounty earnings for Beer’s 30-plus discovered iOS vulnerabilities.

“Two years ago on this stage Apple announced a bug bounty program… Apple said it welcomed people to join the program,” Beer said. Part of Apple’s pitch to the entire research community was that all bugs would be taken seriously and that Apple would consider rewards for bounty hunters outside the program in an altruistic quest to secure the platform. Apple said that in lieu of bounty payments it would consider donating to a charity of the researcher’s choice.

Beer called on Cook to donate any bounty rewards Apple might be willing to share with Beer to Amnesty International.

Beer singled out the charity because of a recent attack against it. Earlier this month, Amnesty International released a report asserting it was targeted by a nation-state adversary who used the mobile cyberweapon known as Pegasus – sold by Israel-based company NSO Group. Beer noted that the messages sent by adversaries appeared to be iMessages.

In 2016, Citizen Lab and Lookout found that Pegasus was being used to take control of Apple devices using three zero-day iOS vulnerabilities, collectively called Trident. Amnesty reported both Android and iOS phones were targeted during its attacks.

Beer suggested that Apple needed to better lock down iOS because the targets of APT campaigns and similar attacks are increasingly iPhone users. He cited another reported incident in which backers of an anti-obesity tax on soda in Mexico were targeted in an attack that singled out iPhone users with text messages linking to the Pegasus spyware.

“Targeted exploitation is more widespread than you think,” he said. He noted that Pegasus had moved from nation-state attacks to what appeared to be attacks by a pro-sugary-soft-drink ring.

Beer called any security approach that uses the number of bug fixes as a yardstick for safety flawed. He called it a “comfort blanket” that offers only an illusion of progress. The time of isolated security fixes is over, he said – the goal is understanding root causes and mitigating against those.

Discussion

"What process problems need to be addressed so we could of found it earlier?" - did Beer write it like that, or did you just hear him saying it and you wrote it down? I don't want to be a grammar nazi, English is my fourth language .. but FFS, it's "could have" which shortens as "could've", not "could of"!

Authors

Threatpost
